Getting x509: certificate has expired or is not yet valid in custom cluster

fernet0 · May 18, 2020, 3:13pm

Hi, I’m getting the following error in the rancher master
6 controllermanager.go:184] error building controller context: failed to wait for apiserver being healthy: timed out waiting for the condition: failed to get apiserver /healthz status: Get https://localhost:6443/healthz?timeout=32s: x509: certificate has expired or is not yet valid

I cannot rotate the certificates since the master is down and it restarts constantly. This cluster is not managed by rke, the nodes were added manually.

What to do in this case? The workers nodes are still up but I cannot get the rancher server up.

a13r · May 19, 2020, 12:00pm

Hey,

I have the same problem: I would have to rotate the certificates but rancher won’t start since the certificates are expired. How can I rotate the certificates manually?

a13r · May 19, 2020, 12:49pm

ok, after an upgrade to Rancher 2.4.3, Rancher started successfully. Apparently, the certificates of the kube-apiservers were valid, as I found out using openssl s_client.

fernet0 · May 19, 2020, 4:13pm

I restored snapshots for the rancher master and etcd VMs, then I followed the workaround 2 from here: https://github.com/rancher/rancher/issues/26984 and it worked.

Topic		Replies	Views
(Urgent) Unable to connect to the server: x509: certificate has expired or is not yet valid Rancher	1	1788	November 23, 2022
Certificate rotation problems Rancher	0	581	June 17, 2021
X509 Certificate Error When Certificate isn't expired Rancher	0	464	October 4, 2021
X509 certificate has expired or is not yet valid Rancher	13	25721	October 19, 2022
Expired certificates - Not sure what to renew Rancher	4	7919	August 18, 2022

Getting x509: certificate has expired or is not yet valid in custom cluster

Related Topics